https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027618#M157547 <HTML><HEAD></HEAD><BODY><P>You will need a way to distinguish your guest users from "internal users". I assume there is some attribute in AD that will allow this</P><P></P><P>Assuming this to be the case then would add two new conditions to the authorization policy</P><P>- User/Guest flag (assume can get this from AD)</P><P>- called-station-id (RADIUS attribute). This attributes includes the SSID at the end</P><P></P><P>Can then define rules</P><P></P><P>If User/Guest flag equals "Guest" and called-station-id ends-with "Guest SSID" then &lt;&lt;&lt;&lt; allow access. Assign permissions</P><P>If User/Guest flag equals "Internal" and called-station-id ends-with "Internal SSID" then &lt;&lt;&lt;&lt; allow access. Assign permissions</P><P></P><P>default rule would be to deny access</P></BODY></HTML> Tue, 30 Oct 2012 13:43:28 GMT jrabinow 2012-10-30T13:43:28Z https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027617#M157541 <P>Hi,</P><P>I have Configured a WLAN with WiSM2 Controller installed on a 6500 series, Aironet 3600series APs and&nbsp; ACS 5.3 for userauthentication. The ACS is connected to Active directory so users are authenticating using the AD (802.1x is used and not a pre-shared key) on SSID A. I have created a separate SSID B for guest users. I have put restrictions on this SSID. Guest users are also created on the same AD where internal users are created. How can I force Guest users to connect to SSID B and not be able to connect to SSID A? Currently they can connect to both.</P><P>Please help!</P><P></P><P>Stanslaus.</P> Mon, 11 Mar 2019 02:44:07 GMT https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027617#M157541 IT_Data_CorporateNet 2019-03-11T02:44:07Z https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027618#M157547 <HTML><HEAD></HEAD><BODY><P>You will need a way to distinguish your guest users from "internal users". I assume there is some attribute in AD that will allow this</P><P></P><P>Assuming this to be the case then would add two new conditions to the authorization policy</P><P>- User/Guest flag (assume can get this from AD)</P><P>- called-station-id (RADIUS attribute). This attributes includes the SSID at the end</P><P></P><P>Can then define rules</P><P></P><P>If User/Guest flag equals "Guest" and called-station-id ends-with "Guest SSID" then &lt;&lt;&lt;&lt; allow access. Assign permissions</P><P>If User/Guest flag equals "Internal" and called-station-id ends-with "Internal SSID" then &lt;&lt;&lt;&lt; allow access. Assign permissions</P><P></P><P>default rule would be to deny access</P></BODY></HTML> Tue, 30 Oct 2012 13:43:28 GMT https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027618#M157547 jrabinow 2012-10-30T13:43:28Z https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027619#M157558 <HTML><HEAD></HEAD><BODY><P>I was going to suggest a similar way to the post above ^</P><P></P><P>If you're using AD, you can enforce policies based on your schema to set the guest users to connect that network by default. You can't hide a single network without hiding the other unless you use some form of policy on your pdc and AAA. </P><P></P><P>Let us know how you get on.</P></BODY></HTML> Tue, 30 Oct 2012 13:48:50 GMT https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027619#M157558 Oliver Eve 2012-10-30T13:48:50Z https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027620#M157582 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P>Perfect!!! It works. Actually what i did is to create a Security groups 'GUESTS' in AD. Then create the below rule in ACS:</P><P></P><P>'AD-AD1:ExternalGroups contains any MYDOMAIN.com/Groups/Security Groups/GUESTS And RADIUS-IETF:Called-Station-ID ends with INTERNALSSID DenyAccess'</P><P></P><P>As my objective was to deny Guests to connect to the internal SSID, then any user who is a member of that security group will be unable to connect but will be able to connect to GUESTSSID via another&nbsp; rule which allows a member of Guests to connect to the GUESTSSID.</P><P></P><P>Again thank you very much!</P><P></P><P>Stanslaus.</P></BODY></HTML> Wed, 31 Oct 2012 12:10:29 GMT https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027620#M157582 IT_Data_CorporateNet 2012-10-31T12:10:29Z https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027621#M157600 <P>Hi ,</P><P>Actually I am also facing the same issue where I want to restrict one ssid to one group wherein that group will not able to connect any other ssid.</P><P>Currently m having 7.4.121 WLC controller and ISE 1.2.1 can any one tell me how to configure this requirment.</P><P>&nbsp;</P><P>Regards</P><P>Pranav</P> Wed, 13 Aug 2014 13:08:34 GMT https://community.cisco.com/t5/network-access-control/restricting-access-to-ssids/m-p/2027621#M157600 Pranav Gade 2014-08-13T13:08:34Z